6 posts / 0 new
Last post
No 'Access-Control-Allow-Origin' header on https://api-cert.payeezy.com/v1/securitytokens (Sandbox)


I try to integrate with Payeezy, but I can't get security token.

Request: https://api-cert.payeezy.com/v1/securitytokens?apiKey=(myAPIKey)&credit_card.card_holder_name=test+test&credit_card.card_number=4111111111111111 &credit_card.cvv=123&credit_card.exp_date=1219&credit_card.type=VISA &js_security_key=js-efc4cec18fb3b5df6bb6e5a897d39bf7efc4cec18fb3b5df&ta_token=NOIW&type=FDToken.
Request Method:OPTIONS
Status Code:200 Success

Request Headers
Host: api-cert.payeezy.com
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
Origin: http://localhost:3000
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.85 Safari/537.36
Access-Control-Request-Headers: authorization
Accept: */*
Referer: http://localhost:3000/
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8,ru;q=0.6

Response Headers:
HTTP/1.1 200 Success
Content-Type: application/json
Date: Thu, 10 Sep 2015 11:37:43 GMT
Server: Apigee Router
statuscode: 500 ???
X-Backside-Transport: FAIL FAIL ???
Content-Length: 83
Connection: keep-alive

Console Output: XMLHttpRequest cannot load https://api-cert.payeezy.com/v1/securitytokens?apiKey=j9URr7rHsAzsjFZghoA93…fc4cec18fb3b5df6bb6e5a897d39bf7efc4cec18fb3b5df&ta_token=NOIW&type=FDToken. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:3000' is therefore not allowed access.

Re: No 'Access-Control-Allow-Origin' header on https://api...

Re: No 'Access-Control-Allow-Origin' header on https://api...


I tried, it doesn't work. The error is the same. Does your server allow cross-domain requests? Is CORS enabled?

When I make request from my domain (localhost) to your domain (api-cert.payeezy), I make cross-domain request. It is not secure, so server should include in response 'Access-Control-Allow-Origin: *' to allow this request.

As you can see there are no 'Access-Control-Allow-Origin' header in response, so I can't get security token on my client-side.


Re: No 'Access-Control-Allow-Origin' header on https://api...


CORS is not enabled for our server. However, you do not require it for the GET request. Here are my request and response headers when I tried that link.

  1. Request


  1. Accept:
  2. Accept-Encoding:
    gzip, deflate, sdch
  3. Accept-Language:
  4. Cache-Control:
  5. Connection:
  6. Cookie:
    utag_main=v_id:014f2d24ffb10001943c911fb55606066004b05e0086e$_sn:5$_ss:1$_st:1440704854773$_pn:1%3Bexp-session$ses_id:1440703054773%3Bexp-session; _gat=1; _ga=GA1.2.1596040029.1438883794
  7. Host:
  8. Upgrade-Insecure-Requests:
  9. User-Agent:
    Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.155 Safari/537.36
  11. Response
  12. Connection:
  13. Content-Language:
  14. Content-Length:
  15. Content-Type:
  16. correlation_id:
  17. Date:
    Fri, 11 Sep 2015 16:03:44 GMT
  18. OPTR_CXT:
    01000100003d9b3d06-3378-4462-a0d2-ca91979ffe6200000000-0000-0000-0000-000000000000-1 HTTP ;
  19. Server:
    Apigee Router
  20. statuscode:
  21. X-Archived-Client-IP:
  22. X-Backside-Transport:
  23. X-Client-IP:,
  24. X-Powered-By:

Re: No 'Access-Control-Allow-Origin' header on https://api...

Payeezy Team,

I think, your request works, because you make it from domain 'api-cert.payeezy.com' (header 'host' in request header) to the same domain, so your request is not cross-domain request.

I finally understand how it works. The method get securitytokens doesn't return token, it returns javascript file. Inside this file your callback is called with token object as parameter. The name of callback is taken from query parameter.

I tried to send simple get request and it doesn't work. So I get this url with all parameters and append scripts tag with src is equal to my url.
In this way, it works.

Payeezy.js works in the same way.

I develop my application based on angular and use some features, such as input masks, custom selects etc, so I can't use payeezy.js custom attributes to get field values, but I can get credit card data from form with angular. So it would be great, if payeezy.js allows to pass credit card data as parameter to create token and if you add information to docs about how to use this method appropriately to get token. It's unclear that I should include javascript file instead of make simple request.

Thank you.

Re: No 'Access-Control-Allow-Origin' header on https://api...

Hi Ronald

1. I had made the request from localhost. The HOST header is different than ORIGIN. Even in the headers you posted earlier, the HOST header is 'api-cert.payeezy.com'.

2. Thank you for your feedback.We will definitely look to improve our documentation.

There are 2 methods to get a token, one using HTTP GET and the other using HTTP POST. The custom attributes are part of the HTTP POST method. You do not require custom attributes with the HTTP GET method. The HTTP GET returns a JSON object with the token value which can be parsed to extract the token value.

Please review this example: https://htmlpreview.github.io/?https://github.com/payeezy/payeezy_js/blob/master/example/sample_v3.2.html

Please let me know if you have more questions.